(19) Europäisches Patentamt
European Patent Office
Office européen des brevets

(11) EP 0 575 765 B1

(12) EUROPEAN PATENT SPECIFICATION

(45) Date of publication and mention of the grant of the patent:
27.10.1999 Bulletin 1999/43

(21) Application number: 93108406.5

(22) Date of filing: 25.05.1993

(51) Int. Cl.6: G06F 12/14

(54) Secure file erasure
(German title: Sichere Dateilöschung)
(French title: Effacement de fichier sécurisé)



(84) Designated Contracting States:
DE FR GB

(30) Priority: 23.06.1992 US 902607

(43) Date of publication of application:
29.12.1993 Bulletin 1993/52

(73) Proprietor: Hughes Electronics Corporation
El Segundo, California 90245-0956 (US)

(72) Inventor: Kung, Kenneth C.
Cerritos, California 90701 (US)

(74) Representative: Witte, Alexander, Dr.-Ing. et al
Witte, Weller, Gahlert, Otten & Steil,
Patentanwälte,
Rotebühlstrasse 121
70178 Stuttgart (DE)

(56) References cited:
EP-A-0 471 538
PATENT ABSTRACTS OF JAPAN vol. 013, no. 256 (P-884), 14 June 1989 & JP-A-01 053 241 (BROTHER IND LTD), 1 March 1989



Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give 
notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in 
a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 
99(1) European Patent Convention). 



Printed by Jouve, 75001 PARIS (FR) 





Description 

[0001] The present invention relates to a method of deleting a file stored on a permanent storage medium of a computer system.

[0002] Generally, the present invention relates to computer systems, and more particularly, to methods of deleting (erasing) files stored on permanent storage media of a computer system that eliminate the possibility of recovery of the data as a readable file by unauthorized persons.

[0003] A traditional method for deleting a file from permanent storage space (a hard disk, for example) is to delete the pointer contained in the file directory that points to the information blocks comprising the file. The actual contents of the information are left untouched. Using a utility program, the contents of every block of storage space can be scanned for sensitive information.

[0004] More particularly, although the storage space is freed up for other uses, the file's data content is left untouched until the storage space is actually used for the storage of another file. This is inherently dangerous because the user believes the data is gone, yet a skilled intruder can use powerful utility tools to scan for these deleted files.

[0005] Another conventional method of file deletion requires a user to overwrite the entire data file with 0's and 1's so as to remove any magnetic remnants of the removed information. This method is slow because the system must write 0's and 1's many times to ensure the stored information cannot be recovered.

[0006] Such a method, for example, is known from Patent Abstracts of Japan, Vol. 013, No. 256 (P-884), June 14, 1989. According to the disclosed method the directory area as well as the data area of the file to be deleted is overwritten with 0's, thus requiring a comparably high processing time.

[0007] Further, EP-A-0 471 538 discloses a data security system in which the disk controller incorporates a hardware encryption circuit, which encodes data passing from the host computer to the disk and decodes data passing in the reverse direction. Operation of the encryption circuit is controlled by a coded signal which is generated by means of a "key" which provides a multi-digit code. This document is not concerned with file erasure.

[0008] It is therefore an object of the present invention to provide a method for deleting files stored on permanent storage media. It is a further object to provide for a file deletion method whereby files are permanently deleted without the possibility of recovery. It is a further object to provide for a file deletion method whereby files are deleted in a manner that does not permit recovery by a person other than the original user or someone authorized by the user, and thus permits recovery of the deleted file by the user alone.

[0009] In order to provide for the above and other objectives and features, the present invention provides for a method wherein an encryption algorithm is used to encrypt the data in a stored file when deleting the file. The encryption algorithm, such as a Type I or Type II encryption algorithm employed in a Secure Data Network Protocol (SDNP) processor manufactured by the assignee of the present invention, may be employed during file erasure to eliminate the weaknesses mentioned with regard to the conventional file erasure methods. The SDNP processor includes an integrated circuit chip that incorporates a selected one of the NSA-developed encryption algorithms. The Type I algorithm allows encryption of files containing classified information, and has a level of encryption that permits the encrypted files to be transferred to others without risk of exposure of the data contained in the files. The Type II algorithm is similar to the Type I algorithm but has been developed for nonclassified but sensitive data.
[0010] In accordance with the present invention, when a user requests deletion of a stored file, the file is encrypted so that it is not readable. The erasure is performed by using the encryption algorithm so that the contents of the file cannot be retrieved by other users after the erasure. Both one-way and two-way file deletion may be employed. In the one-way deletion mode, if the user does not expect to "undelete" the data, a one-way encryption algorithm is used to increase the speed of secure deletion of the file. In the two-way deletion mode, the user has the option to undelete the file by decrypting the encrypted file or disk storage area where the deleted file is stored, as long as this operation is done before the storage space is used by other software programs.

[0011] When the secure deletion method of the present invention is used, no utility program can recover any information from the deleted file. To an intruder, the storage space is encrypted to look like random bits. Therefore, no information can be retrieved nor derived from the encrypted, deleted file.

[0012] The present invention provides an enhancement for the existing file deletion function of the operating system of any computer system so that if a user wants to securely delete the contents of a particular file, the file will be unreadable by anyone else. Using the present file deletion scheme employing the encryption algorithm when deleting data files eliminates the vulnerability present in conventional file deletion methods. The present invention thus permits a user to erase files from a permanent storage space (a hard or floppy disk, for example) in a manner that makes the file totally unreadable by others.

[0013] The present invention also comprises a method of processing a file stored on a permanent storage medium of a computer system that eliminates access to the file by unauthorized persons. The method comprises selecting a stored file, encrypting the stored file using a random key, and then deleting a file directory pointer to the data file. The random key is stored externally and is in the possession of the authorized user of the computer system. To recover the data, the method restores the file directory pointer to the data file, and decrypts the encrypted stored file using the same random, externally stored key used to encrypt the file to permit access to the data contained in the stored file.

[0014] The various features and advantages of the present invention may be more readily understood with reference to the following detailed description taken in conjunction with the accompanying drawing, in which the sole figure illustrates a method in accordance with the principles of the present invention that securely deletes a file stored on a storage medium of a computer system.

[0015] Referring to the drawing figure, it illustrates a secure file erasure method 10 in accordance with the principles of the present invention that securely and permanently deletes a file 20 stored on a storage medium 15 of a computer system 16. The computer system 16 includes a hard disk employed as the storage medium 15, and has a keyboard or mouse device (not shown) to provide inputs to the computer system 16. The computer system 16 includes an operating system that contains a conventional delete file command as one of its functions. The delete file command is employed to delete files 20 stored on the storage medium 15.

[0016] In accordance with the principles of the present invention, if a user of the computer system 16 desires to delete the file 20 stored on the storage medium 15, the user enters a delete file command 11 by selecting from a menu on a computer screen (not shown) or by typing a delete file command sequence on the keyboard. A firmware processing routine in accordance with the principles of the present invention that is stored in a ROM or as an application program that runs on the computer system 10 intercepts the delete file command and prompts the user on the display screen 17 whether a secure deletion of the stored file 20 is desired, illustrated by decision block 12. If no secure file deletion is desired, then the method 10 of the present invention proceeds to a normal delete file process 14. This normal delete file process may be the traditional file deletion process described in the Background section, wherein a pointer contained in the file directory of the storage medium 15 that points to the information blocks comprising the file 20 is deleted. In this situation, the actual contents of the information in the file 20 are left untouched.

[0017] If, however, a secure deletion of the file 20 is desired, then an encryption algorithm 13 is used to encrypt the file 20 whose contents are to be deleted. The encryption algorithm 13 may comprise a Type I or Type II algorithm employed in a Secure Data Network Protocol processor developed by the assignee of the present invention. This algorithm is incorporated in an integrated circuit chip that may be purchased from the National Security Administration (NSA). The chip is incorporated in a Secure Data Network Protocol (SDNP) processor manufactured by the assignee of the present invention, which may be employed for the purposes of encryption of the file 20. Once the file 20 has been encrypted by the encryption algorithm 13, the method proceeds to the normal deletion process step 14, which deletes the directory pointer.

[0018] The specifics of the encryption algorithm employed in the present method 10 are as follows. Both one-way and two-way file deletion modes 17, 18 may be employed using the encryption algorithm 13. In the one-way deletion mode 17, wherein the user does not expect to "undelete" the data, a one-way encryption algorithm is used to increase the speed of secure deletion of the file 20. In the one-way mode 17, the data in the file 20 is encrypted using a random external key 21, and then the key 21 is automatically destroyed 19 and cannot be used to recover the data. Consequently, without the key 21, the data cannot be decrypted and is thus unreadable by anyone.

[0019] In the two-way mode 18, the data in the file 20 is encrypted using the random key 21, but the key 21 is not destroyed 19 and may be used by the user to recover the data. The key 21 is stored or retained by the user in a secure location external to the computer system 16. In the two-way deletion mode 18, the user has the option to undelete the file 20 by restoring the directory pointer 23 and decrypting 24 the encrypted file 20 or the disk storage area where the deleted file 20 is stored, as long as this operation is done before the storage space is used by other software programs. Consequently, the data cannot be decrypted and is thus unreadable by anyone without the key 21. If the secure file deletion method 10 of the present invention is used, no utility program can recover any information from the deleted file 20. To an intruder, the storage space is encrypted to look like random bits. Therefore, no information can be retrieved nor derived from the encrypted, deleted file 20.
[0020] In summary, then, the method 10 of the present invention comprises processing the file 20 stored on the permanent storage medium 15 of the computer system 16 in a manner which eliminates access to the file by unauthorized persons. The method includes selecting the stored file 20 and entering a delete command 11, encrypting the stored file 20 using a random key 21 by operating on the file 20 with the encryption algorithm 13, and then deleting 14 a file directory pointer to the file 20. To recover the file 14, the method 10 restores the file directory pointer 23 to the file 20, and decrypts 24 the encrypted stored file 20 using the random key 21 to permit access to the data contained in the stored file 20.

[0021] The present invention thus permits a user to erase files 20 from a permanent storage space in a manner that makes the file totally unreadable by others. The erasure is performed by using the encryption algorithm so that the contents of the file 20 cannot be retrieved after the erasure. This is different from the traditional file erasure method discussed in the Background section, where only the file directory information is deleted or the pointer to the file 20 is deleted. In this conventional method the storage space is freed up for other uses, but the file's data content is left untouched until the storage space is actually used for the storage of another file. This is inherently dangerous because the user believes the data is gone, yet a skilled intruder can use powerful utility tools to scan for these deleted files. Using the present file erasure method, which employs an encryption algorithm when deleting files 20, eliminates this vulnerability.

[0022] Thus there have been described new and improved methods of deleting (erasing) files stored on permanent storage media of a computer system that eliminate the possibility of recovery of the data as a readable file by unauthorized persons.
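The following is an added worked example, not code from this patent or its assignee, that models the procedure of paragraphs [0015] to [0020] on a small in-memory disk. The Disk class stands in for the storage medium 15 (fixed-size blocks plus a file directory of block pointers); conventional_delete() is the Background-section deletion that drops only the pointer, and secure_delete() is the claimed method, encrypting the file's blocks in place under a random key 21 before deleting the pointer 14, in either the one-way mode (key destroyed, 19) or the two-way mode (key kept by the user; undelete() restores the pointer 23 and decrypts 24). The scan_for() method plays the part of the intruder's block-scanning utility. The cipher is an HMAC-SHA256 keystream in counter mode; that choice is an assumption of this example, made because the Python standard library has no AES, and it stands in for the hardware Type I/II algorithm the patent names.

```python
"""Crypto-erase walk-through on a simulated disk (added example, not the patent's code)."""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 16


class Disk:
    """Storage medium: fixed-size blocks plus a directory of block pointers."""

    def __init__(self, n_blocks):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory = {}                 # name -> (block indices, byte length)
        self.free = list(range(n_blocks))   # unallocated block indices

    def write_file(self, name, data):
        padded = data + b"\0" * (-len(data) % BLOCK_SIZE)
        used = []
        for off in range(0, len(padded), BLOCK_SIZE):
            idx = self.free.pop(0)
            self.blocks[idx][:] = padded[off:off + BLOCK_SIZE]
            used.append(idx)
        self.directory[name] = (used, len(data))

    def read_file(self, name):
        idxs, length = self.directory[name]
        return b"".join(bytes(self.blocks[i]) for i in idxs)[:length]

    def scan_for(self, needle):
        """What a recovery utility does: read every block, allocated or not."""
        return needle in b"".join(bytes(b) for b in self.blocks)


def _keystream_xor(key, nonce, data):
    """Counter-mode stream cipher (assumed stand-in for the Type I/II hardware):
    keystream block i = HMAC-SHA256(key, nonce || i). XOR is its own inverse,
    so the same function encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def conventional_delete(disk, name):
    """Background-section deletion (14): drop the pointer, leave the blocks untouched."""
    idxs, _ = disk.directory.pop(name)
    disk.free.extend(idxs)


def secure_delete(disk, name, two_way):
    """Encrypt the file's blocks in place under a fresh random key (21), then
    delete the pointer (14). Two-way mode (18) returns a recovery token for the
    user to keep outside the machine; one-way mode (17) returns None, the key
    being destroyed (19) so nothing can ever decrypt those blocks."""
    idxs, length = disk.directory[name]
    key = secrets.token_bytes(32)       # random key 21
    nonce = secrets.token_bytes(16)
    plain = b"".join(bytes(disk.blocks[i]) for i in idxs)
    cipher = _keystream_xor(key, nonce, plain)
    for n, i in enumerate(idxs):
        disk.blocks[i][:] = cipher[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
    conventional_delete(disk, name)     # the directory pointer goes last
    if not two_way:
        return None                     # one-way: key 21 is discarded, not kept
    return {"key": key, "nonce": nonce, "blocks": idxs, "length": length}


def undelete(disk, name, token):
    """Two-way recovery: restore the pointer (23), then decrypt in place (24).
    Refuses if any of the file's blocks is now allocated to another file."""
    if any(i not in disk.free for i in token["blocks"]):
        raise RuntimeError("storage reused; the deleted file is no longer recoverable")
    cipher = b"".join(bytes(disk.blocks[i]) for i in token["blocks"])
    plain = _keystream_xor(token["key"], token["nonce"], cipher)
    for n, i in enumerate(token["blocks"]):
        disk.blocks[i][:] = plain[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
        disk.free.remove(i)
    disk.directory[name] = (token["blocks"], token["length"])


SECRET = b"constructed sample: merger price is 42M"   # constructed plaintext


def compare_deletions():
    """Returns (plaintext still found after conventional delete,
                plaintext hidden after secure delete,
                two-way undelete restored the exact contents)."""
    disk = Disk(8)
    disk.write_file("memo.txt", SECRET)
    conventional_delete(disk, "memo.txt")
    leaked = disk.scan_for(b"merger price")

    disk = Disk(8)
    disk.write_file("memo.txt", SECRET)
    token = secure_delete(disk, "memo.txt", two_way=True)
    hidden = not disk.scan_for(b"merger price")
    undelete(disk, "memo.txt", token)
    return leaked, hidden, disk.read_file("memo.txt") == SECRET


if __name__ == "__main__":
    print(compare_deletions())   # (True, True, True)
```

The order of operations matters: the pointer is removed only after every block holds ciphertext, so a crash between the two steps leaves an encrypted but still-listed file rather than a listed plaintext one. In the two-way mode the token is the only thing that can reverse the erasure, which is why paragraph [0019] has the user keep it in a secure location external to the computer system; the undelete check mirrors the claim's condition that recovery is possible only before the storage locations are overwritten.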



Claims

1. A method (10) of deleting a file (20) stored on a permanent storage medium (15) of a computer system (16), said method (10) comprising the steps of:

selecting (11), responsive to a user command, a stored file (20) for deletion; and
deleting (14) a file directory pointer to the file (20);

the method being characterized by further comprising, at a time prior to deleting the directory pointer, the step of encrypting (13) the stored file (20) using a random key (21).

2. The method (10) of Claim 1 further characterized by the step of:

after encrypting (13) the stored file (20) using the random key (21), destroying (19) the random key (21).

3. The method (10) of Claim 1 further characterized by the steps of:

at a time prior to overwriting of storage locations of the encrypted file (20), restoring (23) the file directory pointer to the file (20); and
decrypting (24) the encrypted stored file (20) using the random key (21) to permit access to the stored file (20).

Patentansprüche (German claims, translated)

1. Method (10) for deleting a file (20) stored in a permanent storage medium (15) of a computer system (16), the method (10) comprising the steps of:

selecting (11) a stored file (20) to be deleted by means of a user command, and
destroying (14) a file directory pointer pointing to the file (20);

the method being characterized in that it further comprises, at a time prior to destroying the directory pointer, the step of encrypting (13) the stored file (20) using a random key (21).

2. Method (10) according to Claim 1, further characterized by the step of destroying (19) the random key (21) after the encryption (13) of the stored file (20) performed using the random key (21).

3. Method (10) according to Claim 1, further characterized by the steps of:

restoring (23) the file directory pointer pointing to the file (20) at a time prior to the overwriting of storage locations of the encrypted file (20); and
decrypting (24) the encrypted stored file (20) using the random key (21) in order to permit access to the stored file (20).

Revendications (French claims, translated)

1. Method (10) for erasing a file (20) stored on a permanent storage medium (15) of a computer system (16), said method (10) comprising the steps consisting of:

selecting (11), in response to a user command, a stored file (20) for erasure; and
erasing (14) a file directory pointer pointing to the file (20);

the method being characterized in that it further comprises, at a time prior to the erasure of the directory pointer, the step consisting of:

encrypting (13) the stored file (20) using a random key (21).

2. Method (10) according to Claim 1, further characterized by the step consisting of:

after having encrypted (13) the stored file (20) using the random key (21), destroying (19) the random key (21).

3. Method (10) according to Claim 1, further characterized by the steps consisting of:

at a time prior to the rewriting of storage locations of the encrypted file (20), restoring (23) the file directory pointer pointing to the file (20); and
decrypting (24) the encrypted stored file (20) using the random key (21) to permit access to the stored file (20).